Kaspersky experts have uncovered Keenadu, a sophisticated new backdoor targeting tablet firmware as well as system-level and Google Play apps. They also revealed connections between the world’s most prolific Android botnets.

Securelist is a cybersecurity blog and research platform operated by Kaspersky Lab. It offers insights, analysis, and reports on cybersecurity threats, vulnerabilities, and malware campaigns. Developers can learn about emerging cyber threats, security best practices, and mitigation strategies to protect their applications and systems. Additionally, Securelist provides insights into cybersecurity trends, threat intelligence, and industry developments, offering resources for cybersecurity professionals.

Securelist

Kaspersky researchers discovered Keenadu, a sophisticated Android backdoor embedded in tablet firmware that compromises every app on infected devices. The malware injects itself into the Zygote process through a compromised libandroid_runtime.so library, likely introduced via supply chain attack during firmware builds. Keenadu operates as a multi-stage loader enabling remote device control, delivering payloads that hijack browser searches, monetize app installs, and interact with ads. The investigation revealed connections between major Android botnets (Triada, BADBOX, Vo1d, and Keenadu), with the malware found in firmware from multiple tablet manufacturers, system apps, modified popular apps, and even Google Play. Over 13,700 users worldwide were affected, primarily in Russia, Japan, Germany, Brazil, and the Netherlands.

Keenadu the tablet conqueror and the links between major Android botnets

Malicious dropper in libandroid_runtime.so

How Keenadu compromised libandroid_runtime.so

The Fantastic Four: how Triada, BADBOX, Vo1d, and Keenadu are connected